A teaching moment - A look at techniques for keeping emails secrets, and their use [Updated]

Nov. 13, 2012 - "Instead of 'Dead Dropping,' Petraeus and Broadwell Should Have Used These Email Security Tricks," is the headline to this article by Ryan Gallagher of Slate, states that:

... if Petraeus and Broadwell had been savvy enough to use encryption and anonymity tools, their affair would probably never have been exposed. If they had taken advantage of PGP encryption, the FBI would have been able to decipher their randy interactions only after deploying Trojan-style spyware onto Broadwell’s computer. Further still, if the lovers had only ever logged into their pseudonymous Gmail accounts using anonymity tools like Tor, their real IP addresses would have been masked and their identities extremely difficult to uncover.

But then it is unlikely that they ever expected to come under FBI surveillance. Their crime was a moral one, not a felony, so there was no real reason to take extra precautions. In any other adulterous relationship a pseudonym and a dead drop would be more than enough to keep it clandestine, as my Slate colleague Farhad Manjoo noted in an email.

Broadwell slipped up when she sent the harassing emails—as that, as far as we know, is what ended up exposing her and Petraeus to surveillance. Whether the harassment was serious enough to merit email monitoring is still to be established, as Emily Bazelon writes on “XX Factor.” It goes without saying, however, that the real error here was ultimately made by Petraeus. If he had stayed faithful to his wife of 38 years in the first place, he’d still be in charge at the CIA—and I wouldn’t be writing about how he could have kept his adultery secret more effectively by using encryption.

Today, Nov. 16, in a long NY Times story titled "Trying to Keep Your E-Mails Secret When the C.I.A. Chief Couldn’t", Nicole Perlroth makes many of the same points and discusses the same techniques/software. For example:

Technically speaking, the undoing of Mr. Petraeus was not the extramarital affair, per se, it was that he misunderstood the threat. He and his mistress/biographer, Paula Broadwell, may have thought the threat was their spouses snooping through their e-mails, not the F.B.I. looking through Google’s e-mail servers.

“Understanding the threat is always the most difficult part of security technology,” said Matthew Blaze, an associate professor of computer and information science at the University of Pennsylvania and a security and cryptography specialist. “If they believed the threat to be a government with the ability to get their login records from a service provider, not just their spouse, they might have acted differently.”

To hide their affair from their spouses, the two reportedly limited their digital communications to a shared Gmail account. They did not send e-mails, but saved messages to the draft folder instead, ostensibly to avoid a digital trail. It is unlikely either of their spouses would have seen it.

But neither took necessary steps to hide their computers’ I.P. addresses. According to published accounts of the affair, Ms. Broadwell exposed the subterfuge when she used the same computer to send harassing e-mails to a woman in Florida, Jill Kelley, who sent them to a friend at the F.B.I.

Authorities matched the digital trail from Ms. Kelley’s e-mails — some had been sent via hotel Wi-Fi networks — to hotel guest lists. In cross-checking lists of hotel guests, they arrived at Ms. Broadwell and her computer, which led them to more e-mail accounts, including the one she shared with Mr. Petraeus.

The long story concludes:

It is hard to pull off one of these steps, let alone all of them all the time. It takes just one mistake — forgetting to use Tor, leaving your encryption keys where someone can find them, connecting to an airport Wi-Fi just once — to ruin you.

“Robust tools for privacy and anonymity exist, but they are not integrated in a way that makes them easy to use,” Mr. Blaze warned. “We’ve all made the mistake of accidentally hitting ‘Reply All.’ Well, if you’re trying to hide your e-mails or account or I.P. address, there are a thousand other mistakes you can make.”

In the end, Mr. Kaminsky noted, if the F.B.I. is after your e-mails, it will find a way to read them. In that case, any attempt to stand in its way may just lull you into a false sense of security.

Some people think that if something is difficult to do, “it has security benefits, but that’s all fake — everything is logged,” said Mr. Kaminsky. “The reality is if you don’t want something to show up on the front page of The New York Times, then don’t say it.”

[More] An ACLU blog has a good Nov. 13th article by Chris Soghoian, headed "Surveillance and Security Lessons From the Petraeus Scandal."

The article is quoted in this Nov. 14th story by Peter Maass in The New Yorker News Desk. A quote:

[T]he Petraeus scandal appears to show just how much surveillance the F.B.I. and other law-enforcement agencies can conduct without a judge or a company telling them, “No, you can’t have that.”

For instance, in its semiannual transparency report, Google announced this week that it receives more requests for user data from the U.S. government than any other government in the world, and that those requests rose twenty-six per cent in the latest six-month reporting period, to nearly eight thousand; the company said that it complied with ninety per cent of the requests, either fully or partially. * * *

It’s not just e-mail. In July, Representative Edward Markey, a Democrat from Massachusetts, cajoled major cell-phone carriers into disclosing the number of requests for data that they receive from federal, state, and local law-enforcement agencies: in 2011, there were more than 1.3 million requests. As ProPublica reported at the time, “Police obtain court orders for basic subscriber information so frequently that some mobile phone companies have established websites—here’s one—with forms that police can fill out in minutes. The Obama Administration’s Department of Justice has said mobile phone users have ‘no reasonable expectation of privacy.’”

There’s a particularly cruel irony in all of this: if you contact your cell-phone carrier or Internet service provider or a data broker and ask to be given the information on you that they provide to the government and other companies, most of them will refuse or make you jump through Defcon levels of hops, skips, and clicks. Uncle Sam or Experian can easily access information that shows where you have been, whom you have called, what you have written, and what you have bought—but you do not have the same privileges.

[Updated] Ashby Jones and Joe Palazzolo have this Nov. 16th post in the WSJ Law Blog, headed "Affair Highlights Uncertainty of Email-Privacy Laws."

The Indiana Court of Appeals gave the go-ahead Friday for a trial to determine whether a former LaPorte High School volleyball coach failed to report an illegal sexual relationship between another coach and a student athlete.

MaryBeth Lebo faces two misdemeanor charges of failing to report child abuse or neglect for allegedly not informing the school, police or Department of Child Services that Robert Ashcraft was engaged in a sexual relationship with the 15-year-old girl.

Lebo is also accused of instructing players not to tell anyone about Ashcraft's 2007-08 relationship with the girl, according to court records.

Ashcraft, 48, was convicted last year of four felonies involving sexual misconduct and sentenced to 21 years in prison.

Lebo argued in her appeal the charges were barred by the two-year statute of limitations and were not specific enough to prove she was aware of Ashcraft's illegal acts.

In a 2-1 decision, the appeals court rejected Lebo's statute-of-limitations claim because Lebo allegedly helped conceal Ashcraft's crime. The court also said the failure to report child abuse is a continuing offense under which the duty to report exists so long as a person is aware of the abuse.

In addition, the court said Indiana law does not require actual knowledge of child abuse to prompt a report, just a "reason to believe" abuse is occurring.

The Ashcraft relationship details in the charges against Lebo -- including his leaning on the girl's legs during a movie, putting his arm around her and acting like boyfriend and girlfriend -- met that standard, the appeals court said.

Judge John Baker dissented from that portion of the court's ruling.

He said, in retrospect Ashcraft's actions suggest an inappropriate relationship, but at the time "there is no way that a person in a similar position as Lebo would 'feel certain' that Ashcraft was engaging in illegal sexual acts."

According to court documents, Lebo felt uncomfortable with Ashcraft's physical overtures toward the girl during the 2007-2008 season but instructed her student players not to tell anyone what was going on. Lebo was charged in 2011 with failing to inform police or child protective services.

Lebo claimed the charges didn't prove she was aware of the relationship and that they weren't filed within the two-year statute of limitations.

But the appeals court said the allegations were strong enough to support the charge that Lebo helped to conceal Ashcraft's behavior. The judges ruled that under state law, even a suspicion of sexual abuse must be reported.

The court also said the clock didn't begin running on the statute of limitations until authorities became aware of her actions.

Ind. Courts - Monroe County "Courthouse now shinier and more solid after major makeover"

Dawn Hewitt reported Nov. 16th in the Bloomington Herald Times ($$) in a story that bgeins:

Monroe County’s iconic, grand old courthouse hasn’t looked this good since it was dedicated in 1907, and it has never been more structurally sound.

Its renovation, restoration and refurbishment were on public display during an open house Thursday night following work that shuttered it for more than a year.

Most of the work wasn’t visible: It’s under the floors, behind the ceiling and walls. A new structural support system will keep the building strong for its second century and beyond.

A year and a half ago, floors sagged — a couple inches out of level in spots. The building appeared to be slowly collapsing in on itself. New steel beams in the ceilings of the basement, first and second floors and in the walls should prevent that from happening again for a very long time.

Open house visitors also didn’t get to see the basement, where a new, energy-efficient boiler and chiller are housed. Replacing them wasn’t part of the original rehab plan, but it made sense to do while the whole building was being overhauled.

And while the ceilings and walls were ripped up, the building was rewired for the Internet age.

The bottom line: $5,015,615.63, not all from taxpayers. The Community Foundation for Bloomington and Monroe County footed the bill for historic preservation work. Cable franchise fees paid for the new lighting sound systems in the Nat U. Hill meeting room, where county council and commissioners meetings are broadcast on CATS TV.

Cassady Electric and Gayle Cook paid for a new lighting system that spotlights the murals just below the dome — murals recently cleaned by experts from the Indiana University Hope School of Fine Arts.